Windows Analysis Report
SOA Payment for June 30th.exe

Overview

General Information

Sample name: SOA Payment for June 30th.exe
Analysis ID: 1467838
MD5: 63128eeca6e0dabeddfd68c0517d4c91
SHA1: eb43eb41464d255d312b6b2aa14428ccd16156da
SHA256: 45d0c2ec2ede02e8b8ef535346a4e7e06fd52ba27995a15a5f1a0b11e305d4f7
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 3.2.SOA Payment for June 30th.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}
Multi AV Scanner detection for submitted file
Source: SOA Payment for June 30th.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: SOA Payment for June 30th.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: SOA Payment for June 30th.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SOA Payment for June 30th.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: dhSR.pdbSHA256 source: SOA Payment for June 30th.exe
Source: Binary string: dhSR.pdb source: SOA Payment for June 30th.exe

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 3.2.SOA Payment for June 30th.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.4801698.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49715 -> 163.44.198.71:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View ASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49715 -> 163.44.198.71:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: nffplp.com
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597811398.000000000102F000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597811398.0000000000F90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SOA Payment for June 30th.exe, 00000003.00000002.4602655404.00000000067B2000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597811398.000000000102F000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597811398.0000000001021000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597811398.000000000102F000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002D81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: SOA Payment for June 30th.exe, 00000000.00000002.2155363540.000000000473E000.00000004.00000800.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597811398.0000000001021000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597596271.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nffplp.com
Source: SOA Payment for June 30th.exe, 00000003.00000002.4602655404.00000000067B2000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597811398.0000000001021000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597811398.000000000102F000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002D81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SOA Payment for June 30th.exe String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: SOA Payment for June 30th.exe, 00000000.00000002.2155363540.000000000473E000.00000004.00000800.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597596271.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597811398.0000000001021000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597811398.000000000102F000.00000004.00000020.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, POq2Ux.cs .Net Code: mDt2FXita0Y
Source: 0.2.SOA Payment for June 30th.exe.4801698.7.raw.unpack, POq2Ux.cs .Net Code: mDt2FXita0Y
Installs a global keyboard hook
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SOA Payment for June 30th.exe Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.SOA Payment for June 30th.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SOA Payment for June 30th.exe.4801698.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SOA Payment for June 30th.exe.4801698.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
.NET source code contains very large array initializations
Source: 0.2.SOA Payment for June 30th.exe.6f70000.8.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Source: 0.2.SOA Payment for June 30th.exe.2dcb678.3.raw.unpack, -Module-.cs Large array initialization: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E: array initializer size 3088
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: SOA Payment for June 30th.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_0133DDEC 0_2_0133DDEC
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_052F0006 0_2_052F0006
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_052F0040 0_2_052F0040
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_052FE8E0 0_2_052FE8E0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058BD5D0 0_2_058BD5D0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B6D50 0_2_058B6D50
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8B98 0_2_058B8B98
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058BD5C0 0_2_058BD5C0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B75F8 0_2_058B75F8
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B6505 0_2_058B6505
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8487 0_2_058B8487
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B84D3 0_2_058B84D3
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058BC7B0 0_2_058BC7B0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B87C3 0_2_058B87C3
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058BC7C0 0_2_058BC7C0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B87F9 0_2_058B87F9
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8720 0_2_058B8720
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8762 0_2_058B8762
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B869E 0_2_058B869E
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B7608 0_2_058B7608
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8608 0_2_058B8608
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8638 0_2_058B8638
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B51E4 0_2_058B51E4
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8140 0_2_058B8140
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8150 0_2_058B8150
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8D2B 0_2_058B8D2B
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058BCD60 0_2_058BCD60
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058BCD70 0_2_058BCD70
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B6CE9 0_2_058B6CE9
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B5E0A 0_2_058B5E0A
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8994 0_2_058B8994
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B893F 0_2_058B893F
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B5940 0_2_058B5940
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B5950 0_2_058B5950
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B4888 0_2_058B4888
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B88B5 0_2_058B88B5
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8859 0_2_058B8859
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8850 0_2_058B8850
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8A9C 0_2_058B8A9C
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8A08 0_2_058B8A08
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8A74 0_2_058B8A74
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_070744D8 0_2_070744D8
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_070763F0 0_2_070763F0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_07075FB8 0_2_07075FB8
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_0707BDB0 0_2_0707BDB0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_07074900 0_2_07074900
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_07074910 0_2_07074910
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_07076828 0_2_07076828
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_02BB4AC0 3_2_02BB4AC0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_02BBB929 3_2_02BBB929
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_02BB3EA8 3_2_02BB3EA8
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_02BBECC8 3_2_02BBECC8
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_02BB41F0 3_2_02BB41F0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_02BBAD08 3_2_02BBAD08
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_069B9884 3_2_069B9884
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A1C280 3_2_06A1C280
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A15268 3_2_06A15268
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A1B31A 3_2_06A1B31A
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A13140 3_2_06A13140
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A17E68 3_2_06A17E68
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A17788 3_2_06A17788
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A1E4A8 3_2_06A1E4A8
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A10040 3_2_06A10040
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A159BB 3_2_06A159BB
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_070537D8 3_2_070537D8
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_06A10038 3_2_06A10038
Sample file is different than original file name gathered from version info
Source: SOA Payment for June 30th.exe, 00000000.00000002.2152768594.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000000.00000002.2155363540.000000000473E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000000.00000002.2155363540.000000000473E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000000.00000000.2142054703.000000000096C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedhSR.exeD vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000000.00000002.2154408706.0000000002D61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000000.00000002.2162363719.0000000006F70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000000.00000002.2163081890.000000000E820000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000000.00000002.2154408706.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRT.dll. vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597741905.0000000000F39000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597596271.000000000043E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename46da3e76-ea11-4ef3-9ed6-348209ad609f.exe4 vs SOA Payment for June 30th.exe
Source: SOA Payment for June 30th.exe Binary or memory string: OriginalFilenamedhSR.exeD vs SOA Payment for June 30th.exe
Uses 32bit PE files
Source: SOA Payment for June 30th.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 3.2.SOA Payment for June 30th.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SOA Payment for June 30th.exe.4801698.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SOA Payment for June 30th.exe.4801698.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SOA Payment for June 30th.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, ZTFEpdjP8zw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, WnRNxU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, 2njIk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, I5ElxL.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, QQSiOsa4hPS.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, FdHU4eb83Z7.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, PgU4rjWHipooK17TjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, PgU4rjWHipooK17TjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, XNSlb6B08qHNUtpO6P.cs Security API names: _0020.SetAccessControl
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, XNSlb6B08qHNUtpO6P.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, XNSlb6B08qHNUtpO6P.cs Security API names: _0020.AddAccessRule
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, PgU4rjWHipooK17TjE.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, PgU4rjWHipooK17TjE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, XNSlb6B08qHNUtpO6P.cs Security API names: _0020.SetAccessControl
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, XNSlb6B08qHNUtpO6P.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, XNSlb6B08qHNUtpO6P.cs Security API names: _0020.AddAccessRule
Source: 0.2.SOA Payment for June 30th.exe.2d7710c.0.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SOA Payment for June 30th.exe.2e1496c.4.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SOA Payment for June 30th.exe.6ff0000.10.raw.unpack, ReactionVessel.cs Suspicious method names: .ReactionVessel.Inject
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SOA Payment for June 30th.exe.log Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Mutant created: NULL
Source: SOA Payment for June 30th.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SOA Payment for June 30th.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SOA Payment for June 30th.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\SOA Payment for June 30th.exe "C:\Users\user\Desktop\SOA Payment for June 30th.exe"
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process created: C:\Users\user\Desktop\SOA Payment for June 30th.exe "C:\Users\user\Desktop\SOA Payment for June 30th.exe"
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process created: C:\Users\user\Desktop\SOA Payment for June 30th.exe "C:\Users\user\Desktop\SOA Payment for June 30th.exe" Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: SOA Payment for June 30th.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SOA Payment for June 30th.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SOA Payment for June 30th.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: dhSR.pdbSHA256 source: SOA Payment for June 30th.exe
Source: Binary string: dhSR.pdb source: SOA Payment for June 30th.exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: SOA Payment for June 30th.exe, MainForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, XNSlb6B08qHNUtpO6P.cs .Net Code: ltg2Lg3a4G System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA Payment for June 30th.exe.6f70000.8.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA Payment for June 30th.exe.6f70000.8.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, XNSlb6B08qHNUtpO6P.cs .Net Code: ltg2Lg3a4G System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA Payment for June 30th.exe.2dcb678.3.raw.unpack, -Module-.cs .Net Code: _200D_200D_202B_206F_206A_206B_202B_200B_200D_206D_200C_206B_206A_200B_202E_200C_200E_202A_200E_206D_206F_202D_206F_206D_206C_200F_206A_202D_206C_202B_206A_206F_202A_206A_200E_200F_200B_200F_202E_202D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.SOA Payment for June 30th.exe.2dcb678.3.raw.unpack, PingPong.cs .Net Code: _206E_206D_206E_206E_202E_202E_200C_206A_202D_206E_200C_202B_200F_206E_200B_202E_200E_202A_202D_200E_200E_200E_200E_202B_200E_202C_200C_200B_202C_202D_200C_202A_200B_200C_206D_206B_202B_202A_202E_200C_202E System.Reflection.Assembly.Load(byte[])
Binary contains a suspicious time stamp
Source: SOA Payment for June 30th.exe Static PE information: 0xFDB78393 [Thu Nov 20 22:13:39 2104 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_058B8359 push 8BBCEB50h; ret 0_2_058B835F
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_070794DF push ecx; ret 0_2_070794E0
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_070704E5 push edi; ret 0_2_070704E6
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_07078F85 push edi; ret 0_2_07078F8D
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_07073EE5 push ds; retn 6BA9h 0_2_07073EFF
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 0_2_0707D9DF push dword ptr [edx+ebp*2-75h]; iretd 0_2_0707D9EF
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_070511B0 push es; ret 3_2_070511C0
Source: SOA Payment for June 30th.exe Static PE information: section name: .text entropy: 7.547057220379541
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, YwLWgyXPBAopIKbCrb.cs High entropy of concatenated method names: 'p1CjymAypU', 'bYSja073cG', 'rMpjtrsjbl', 'Hiht3ElZWG', 'TcGtz5t9ay', 'VW8jQfnytT', 'i4cjVBllS9', 'euRjC28ivK', 'W0Xj6P4hcQ', 'OGbj2txRvM'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, rKRWGqu92A81SjLtMH.cs High entropy of concatenated method names: 'RbfpWe5iOC', 'Ke1pxb75TH', 'ACspPKllji', 'z3rpZ4Dhhr', 'NWMph6Y45l', 'ljHpEke7xd', 'blYpXdwvn6', 'exHpgbAL5b', 'B9Np1hjEnE', 'jjMp9wSWhY'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, n9wLcrbsxI69ytHYVi.cs High entropy of concatenated method names: 'sulMYDhb7T', 'YfHM3Krrun', 'imWUQo8kbG', 'mMvUVbp9Us', 'j13M9H22XH', 'YZwMi4udDQ', 'LfAMudMEyZ', 'xmPM8veoMw', 'BGMM7J62D3', 'Gc5Mc5rmVw'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, mrA5CeP2jpv0OMJS3f.cs High entropy of concatenated method names: 'AAntsEtvlR', 'TwEtO6mL9l', 'QMWtKWj6J5', 'HGTtjJydSw', 'sFetBnb7uS', 'qA2Kv8fuG3', 'JMdKbrKgUQ', 'UV4KrciJ0T', 'JRBKYohqVG', 'FyuKw8VWlE'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, Fsq0g0YA0jMpE3rSut.cs High entropy of concatenated method names: 'Sf6UyaGKYw', 'iHcUOhXqaI', 'yMKUaKq6kf', 'PV0UK06Ods', 'ISTUtWEEbT', 'iaOUjf4XK8', 'FYiUBsyk1J', 'GNZUShKG6U', 'AOOUI4YESc', 'IOJU0HVtCy'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, SZrbkQzM8muv9CuKi5.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ih9Gpml2C0', 'iFyGH2eZp3', 'hUuGD1NNxX', 'ihYGMXklaK', 'q9ZGUrxJgu', 'I7rGGawwAT', 'OZ2G5Hi7KZ'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, W5EcZlacMxmvZdcZ3f.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ytCCwu7XDq', 'giNC3Yfdlm', 'LfvCzBksSY', 'DsU6QgfFIS', 'gZB6VbctNC', 'RDS6CbYpS8', 'vB666iW3po', 'Os9QRft6CJNRVcAQHuk'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, Ewjs7PkGDxP0J1CSi9.cs High entropy of concatenated method names: 'fPFjdEDI2v', 'ukxjn0XFUY', 'Q4rjLVvN5v', 'KwgjofCs2I', 'X0qjADvVFR', 'q7tjeEnaEb', 'DdHjfoe5iY', 'aPpjWFZNYo', 'M2vjxr4gDa', 'caKjTxbqn0'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, hUssHOchm4P0wyP4QI.cs High entropy of concatenated method names: 'ToString', 'eyWD9oADua', 'pEODZE3ScG', 'Y3HDNqOrpo', 'S0iDhAI09j', 'kEKDEayftS', 'SvHDms980V', 'jLYDXTJwG7', 'DSNDgW6pnW', 'MxZDk6lYt7'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, CLuLMZxWyEmIQB6fb1.cs High entropy of concatenated method names: 'N0Rao0AQgv', 'zR7aechmii', 'zkwaWlv784', 'HF1ax7fSw0', 's2ZaHjrVgq', 'QS1aDZxlxS', 'eLKaMnC7ZL', 'REBaUh8Zht', 's0caGaForx', 'wAUa5ITrn3'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, hLLm27O82It5qtK8OH.cs High entropy of concatenated method names: 'Dispose', 'b0xVw58F8h', 'JAuCZDVFkI', 'MCeFFXJ8pa', 'APsV3q0g0A', 'mjMVzpE3rS', 'ProcessDialogKey', 'QtuCQBqHLW', 'lBQCVbwxrx', 'zU8CCGLPXR'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, G5L0jwCtfUw2t3wt08.cs High entropy of concatenated method names: 'J0QLCLoBg', 'oVao1ZWsW', 'xggeuS1Jf', 'CD6fjmsGT', 'tLax7IDE0', 'NnRTtcgEy', 'qhsEGDe0dvTJNTM9cE', 'a4sNl04hhx0WHo9Nhn', 'USSUbJh3C', 'V0P5yrXRX'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, KPASsxV6qihCusmusuS.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Fnb58I4jRO', 'aIO579Xg9I', 'GO55c6iCN1', 'QPh54aXU1D', 'cd35vj1c6T', 'ey25bDNAKw', 'Ha95rRyYmq'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, PBqHLWwSBQbwxrxnU8.cs High entropy of concatenated method names: 'Q7jUPQ9wc8', 'IPdUZN2Qh8', 'VPMUNa0I5e', 'SrWUhck10I', 'hnwU8AIATJ', 'opHUEMh12q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, sLPXRI3dx5rsWTToAw.cs High entropy of concatenated method names: 'M7VGVmnP3V', 'XslG6lxD2c', 'TG8G2Zr5XC', 'pPqGyV5PLv', 'qXeGOFXtM6', 'AbjGK0BmiI', 'Oi0Gt9dgaR', 'QT2Ur1wgnl', 'WB1UY2wHV7', 'JFgUwkFgtk'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, PP7L6b8iCrLnvpN05v.cs High entropy of concatenated method names: 'fByH1f65pQ', 'MRUHilct0b', 'cUYH8YpoiV', 'bKTH730pkF', 'oPiHZvhyve', 'eSWHNE0DQm', 'WytHh8rGEK', 'vJjHE3GRnk', 'MvvHmv5GEU', 'qJBHXsFPFF'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, svnjfwTmZsLLWF8IvJ.cs High entropy of concatenated method names: 'bepKARoegR', 'O1OKfhZU1s', 's3XaNvODs5', 'rleahhdRfp', 'iQ2aEKgI2Q', 'OXZamn94SV', 'a6QaXtsTfn', 'U0Cagu2eh8', 'aAGaks0a2C', 'NCAa1cJ4jY'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, n7hCtg2HEe17oOPfG3.cs High entropy of concatenated method names: 'JjiVjgU4rj', 'oipVBooK17', 'GWyVIEmIQB', 'dfbV015vnj', 'w8IVHvJIrA', 'sCeVD2jpv0', 'yjDd1fFYxnyWo1yJQp', 'BjqKg5xtEfmy5QFqtl', 'EDmVV8j4vt', 'Y6tV67RR03'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, PgU4rjWHipooK17TjE.cs High entropy of concatenated method names: 'JGWO862jMV', 'sgxO7pv3uM', 'f2jOcZqFZG', 'nMWO4aTHp5', 'h6NOvHybsn', 'zSKObcPb0u', 'idEOrRWBje', 'tBEOY4Wr6f', 'r6EOwZ8kli', 'fJHO3rQCmp'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, sLnj3yVQYhKYGc6N2e0.cs High entropy of concatenated method names: 'cCYGdtkgrO', 'DV4GnM1U7X', 'eTiGLmfBPB', 'xM3Go8a2Lk', 'hoJGA0ioX5', 'OTEGenyBcJ', 'iplGfhmSYC', 'zmdGWxQY6h', 'EvCGxxRsfJ', 'JyKGTelYYQ'
Source: 0.2.SOA Payment for June 30th.exe.e820000.11.raw.unpack, XNSlb6B08qHNUtpO6P.cs High entropy of concatenated method names: 'NLe6sdmjod', 'YIg6yG3UhQ', 'kWY6OrG7Xh', 'BQg6aqgegk', 'Aku6Ke4xTJ', 'Jgy6tlPDh5', 'biJ6jw1Jvg', 'gsR6BkYVw7', 'sCV6ShVl9X', 'SbF6I7WyMP'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, YwLWgyXPBAopIKbCrb.cs High entropy of concatenated method names: 'p1CjymAypU', 'bYSja073cG', 'rMpjtrsjbl', 'Hiht3ElZWG', 'TcGtz5t9ay', 'VW8jQfnytT', 'i4cjVBllS9', 'euRjC28ivK', 'W0Xj6P4hcQ', 'OGbj2txRvM'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, rKRWGqu92A81SjLtMH.cs High entropy of concatenated method names: 'RbfpWe5iOC', 'Ke1pxb75TH', 'ACspPKllji', 'z3rpZ4Dhhr', 'NWMph6Y45l', 'ljHpEke7xd', 'blYpXdwvn6', 'exHpgbAL5b', 'B9Np1hjEnE', 'jjMp9wSWhY'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, n9wLcrbsxI69ytHYVi.cs High entropy of concatenated method names: 'sulMYDhb7T', 'YfHM3Krrun', 'imWUQo8kbG', 'mMvUVbp9Us', 'j13M9H22XH', 'YZwMi4udDQ', 'LfAMudMEyZ', 'xmPM8veoMw', 'BGMM7J62D3', 'Gc5Mc5rmVw'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, mrA5CeP2jpv0OMJS3f.cs High entropy of concatenated method names: 'AAntsEtvlR', 'TwEtO6mL9l', 'QMWtKWj6J5', 'HGTtjJydSw', 'sFetBnb7uS', 'qA2Kv8fuG3', 'JMdKbrKgUQ', 'UV4KrciJ0T', 'JRBKYohqVG', 'FyuKw8VWlE'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, Fsq0g0YA0jMpE3rSut.cs High entropy of concatenated method names: 'Sf6UyaGKYw', 'iHcUOhXqaI', 'yMKUaKq6kf', 'PV0UK06Ods', 'ISTUtWEEbT', 'iaOUjf4XK8', 'FYiUBsyk1J', 'GNZUShKG6U', 'AOOUI4YESc', 'IOJU0HVtCy'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, SZrbkQzM8muv9CuKi5.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ih9Gpml2C0', 'iFyGH2eZp3', 'hUuGD1NNxX', 'ihYGMXklaK', 'q9ZGUrxJgu', 'I7rGGawwAT', 'OZ2G5Hi7KZ'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, W5EcZlacMxmvZdcZ3f.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ytCCwu7XDq', 'giNC3Yfdlm', 'LfvCzBksSY', 'DsU6QgfFIS', 'gZB6VbctNC', 'RDS6CbYpS8', 'vB666iW3po', 'Os9QRft6CJNRVcAQHuk'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, Ewjs7PkGDxP0J1CSi9.cs High entropy of concatenated method names: 'fPFjdEDI2v', 'ukxjn0XFUY', 'Q4rjLVvN5v', 'KwgjofCs2I', 'X0qjADvVFR', 'q7tjeEnaEb', 'DdHjfoe5iY', 'aPpjWFZNYo', 'M2vjxr4gDa', 'caKjTxbqn0'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, hUssHOchm4P0wyP4QI.cs High entropy of concatenated method names: 'ToString', 'eyWD9oADua', 'pEODZE3ScG', 'Y3HDNqOrpo', 'S0iDhAI09j', 'kEKDEayftS', 'SvHDms980V', 'jLYDXTJwG7', 'DSNDgW6pnW', 'MxZDk6lYt7'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, CLuLMZxWyEmIQB6fb1.cs High entropy of concatenated method names: 'N0Rao0AQgv', 'zR7aechmii', 'zkwaWlv784', 'HF1ax7fSw0', 's2ZaHjrVgq', 'QS1aDZxlxS', 'eLKaMnC7ZL', 'REBaUh8Zht', 's0caGaForx', 'wAUa5ITrn3'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, hLLm27O82It5qtK8OH.cs High entropy of concatenated method names: 'Dispose', 'b0xVw58F8h', 'JAuCZDVFkI', 'MCeFFXJ8pa', 'APsV3q0g0A', 'mjMVzpE3rS', 'ProcessDialogKey', 'QtuCQBqHLW', 'lBQCVbwxrx', 'zU8CCGLPXR'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, G5L0jwCtfUw2t3wt08.cs High entropy of concatenated method names: 'J0QLCLoBg', 'oVao1ZWsW', 'xggeuS1Jf', 'CD6fjmsGT', 'tLax7IDE0', 'NnRTtcgEy', 'qhsEGDe0dvTJNTM9cE', 'a4sNl04hhx0WHo9Nhn', 'USSUbJh3C', 'V0P5yrXRX'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, KPASsxV6qihCusmusuS.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Fnb58I4jRO', 'aIO579Xg9I', 'GO55c6iCN1', 'QPh54aXU1D', 'cd35vj1c6T', 'ey25bDNAKw', 'Ha95rRyYmq'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, PBqHLWwSBQbwxrxnU8.cs High entropy of concatenated method names: 'Q7jUPQ9wc8', 'IPdUZN2Qh8', 'VPMUNa0I5e', 'SrWUhck10I', 'hnwU8AIATJ', 'opHUEMh12q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, sLPXRI3dx5rsWTToAw.cs High entropy of concatenated method names: 'M7VGVmnP3V', 'XslG6lxD2c', 'TG8G2Zr5XC', 'pPqGyV5PLv', 'qXeGOFXtM6', 'AbjGK0BmiI', 'Oi0Gt9dgaR', 'QT2Ur1wgnl', 'WB1UY2wHV7', 'JFgUwkFgtk'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, PP7L6b8iCrLnvpN05v.cs High entropy of concatenated method names: 'fByH1f65pQ', 'MRUHilct0b', 'cUYH8YpoiV', 'bKTH730pkF', 'oPiHZvhyve', 'eSWHNE0DQm', 'WytHh8rGEK', 'vJjHE3GRnk', 'MvvHmv5GEU', 'qJBHXsFPFF'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, svnjfwTmZsLLWF8IvJ.cs High entropy of concatenated method names: 'bepKARoegR', 'O1OKfhZU1s', 's3XaNvODs5', 'rleahhdRfp', 'iQ2aEKgI2Q', 'OXZamn94SV', 'a6QaXtsTfn', 'U0Cagu2eh8', 'aAGaks0a2C', 'NCAa1cJ4jY'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, n7hCtg2HEe17oOPfG3.cs High entropy of concatenated method names: 'JjiVjgU4rj', 'oipVBooK17', 'GWyVIEmIQB', 'dfbV015vnj', 'w8IVHvJIrA', 'sCeVD2jpv0', 'yjDd1fFYxnyWo1yJQp', 'BjqKg5xtEfmy5QFqtl', 'EDmVV8j4vt', 'Y6tV67RR03'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, PgU4rjWHipooK17TjE.cs High entropy of concatenated method names: 'JGWO862jMV', 'sgxO7pv3uM', 'f2jOcZqFZG', 'nMWO4aTHp5', 'h6NOvHybsn', 'zSKObcPb0u', 'idEOrRWBje', 'tBEOY4Wr6f', 'r6EOwZ8kli', 'fJHO3rQCmp'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, sLnj3yVQYhKYGc6N2e0.cs High entropy of concatenated method names: 'cCYGdtkgrO', 'DV4GnM1U7X', 'eTiGLmfBPB', 'xM3Go8a2Lk', 'hoJGA0ioX5', 'OTEGenyBcJ', 'iplGfhmSYC', 'zmdGWxQY6h', 'EvCGxxRsfJ', 'JyKGTelYYQ'
Source: 0.2.SOA Payment for June 30th.exe.49488f0.5.raw.unpack, XNSlb6B08qHNUtpO6P.cs High entropy of concatenated method names: 'NLe6sdmjod', 'YIg6yG3UhQ', 'kWY6OrG7Xh', 'BQg6aqgegk', 'Aku6Ke4xTJ', 'Jgy6tlPDh5', 'biJ6jw1Jvg', 'gsR6BkYVw7', 'sCV6ShVl9X', 'SbF6I7WyMP'
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SOA Payment for June 30th.exe PID: 1576, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SOA Payment for June 30th.exe, 00000000.00000002.2155363540.000000000473E000.00000004.00000800.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, SOA Payment for June 30th.exe, 00000003.00000002.4597596271.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 1080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 2D60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 2B00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 9080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: A080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: A290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: B290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: B6A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: C6A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: D6A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: E8A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: F8A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 108A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 118A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 2B70000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 2D80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: 2BD0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Window / User API: threadDelayed 7157 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Window / User API: threadDelayed 2667 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 2696 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 4208 Thread sleep count: 7157 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 4208 Thread sleep count: 2667 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -99766s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -99641s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -99532s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -99407s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -99282s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -99172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -99063s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -98938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -98813s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -98703s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -98588s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -98484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -98363s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -98235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -98110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -97985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -97860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -97735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -97610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -97485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -97360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -97235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -97110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -96985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -96860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -96735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -96610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -96485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -96360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -96235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -96110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -95985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -95860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -95735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -95610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -95485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -95360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -95235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -95110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -94985s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -94860s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -94735s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -94610s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -94485s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -94360s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -94235s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -94110s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe TID: 5528 Thread sleep time: -93985s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 99766 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 99641 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 99532 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 99407 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 99282 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 99172 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 99063 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 98938 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 98813 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 98703 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 98588 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 98484 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 98363 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 98235 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 98110 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 97985 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 97860 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 97735 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 97610 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 97485 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 97360 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 97235 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 97110 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 96985 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 96860 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 96735 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 96610 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 96485 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 96360 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 96235 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 96110 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 95985 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 95860 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 95735 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 95610 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 95485 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 95360 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 95235 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 95110 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 94985 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 94860 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 94735 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 94610 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 94485 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 94360 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 94235 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 94110 Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Thread delayed: delay time: 93985 Jump to behavior
Source: SOA Payment for June 30th.exe, 00000003.00000002.4599301189.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597596271.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597596271.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBox
Source: SOA Payment for June 30th.exe, 00000003.00000002.4597811398.000000000105F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Code function: 3_2_02BB70B0 CheckRemoteDebuggerPresent, 3_2_02BB70B0
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Memory written: C:\Users\user\Desktop\SOA Payment for June 30th.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Process created: C:\Users\user\Desktop\SOA Payment for June 30th.exe "C:\Users\user\Desktop\SOA Payment for June 30th.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Users\user\Desktop\SOA Payment for June 30th.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Users\user\Desktop\SOA Payment for June 30th.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 3.2.SOA Payment for June 30th.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.47c6078.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.4801698.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.4801698.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4599301189.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4599301189.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4597596271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2155363540.000000000473E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SOA Payment for June 30th.exe PID: 1576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOA Payment for June 30th.exe PID: 6408, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\Desktop\SOA Payment for June 30th.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 3.2.SOA Payment for June 30th.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.47c6078.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.4801698.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.4801698.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4599301189.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4597596271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2155363540.000000000473E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SOA Payment for June 30th.exe PID: 1576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOA Payment for June 30th.exe PID: 6408, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 3.2.SOA Payment for June 30th.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.47c6078.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.4801698.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.4801698.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SOA Payment for June 30th.exe.47c6078.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4599301189.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4599301189.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4597596271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2155363540.000000000473E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SOA Payment for June 30th.exe PID: 1576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SOA Payment for June 30th.exe PID: 6408, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS true
163.44.198.71
 nffplp.com Singapore
135161 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG true

Contacted Domains

Name IP Active
ip-api.com 208.95.112.1 true
nffplp.com 163.44.198.71 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ip-api.com/line/?fields=hosting false
  • URL Reputation: safe
 unknown